IETF119
Note-taker: Justin Richer, Pieter Kasselman
Presentation:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-sessb-sd-jwt/
Brian gave an overview of the SD-JWT mechanisms
it's a hash-based mechanism for selective disclosure
aims to be easy to use for familiar algorithms
structure:
to reveal:
also a key-binding JWT (KB-JWT)
new since last time:
Open Issues:
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues
Discussion items
PR394: SD-JWT has different security properties depending on whether
KB is present or not.
PR 414 Revisiting JSON serialization (again)
Next Steps:
Peter Liu: use cases for comparing age to threshold; is there an
algebraic formula for disclosure?
Brian: no, you can expose the whole birthday or add new claims like
age_over_21 and disclose only that
Richard: thanks to the authors, have pushed a ton of issues and they've
been great
Use of extra time:
Presenter: Mike Jones
What is this for? See the last presentation from IETF118
Change ssince 118:
All known issues are addressed
Time for WG Last Call?
Chairs: Will start WGLC after meeting
Kristina: how much implementation experience?
Mike: All OID Fed use it
Kristina: it's mandatory?
Mike: yes
Atul: This is useful in the context of SSF as well; this makes it
possible for RS to get a token far more capable than what it needs
Hannes: will you review during WGLC?
Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-sessb-browser-based-apps-bcp/
Presenter: Aaron Parecki
What is it?
Major re-structuring (main changes)
then going through patterns and how they solve attacks
clarifications on cookie encryption
Next Steps:
Chairs will issue WG LC
- Justin (already done, not doing it again), Tim Cappalli, Andy
Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-sessb-transaction-tokens/
Presenter: George Fletcher
what is it?
changes:
workload identifiers
token request
request processing at TTS
creating replacement tokens
added section on passing tokens between servers
updated security considerations
Issues https://github.com/oauth-wg/oauth-transaction-tokens/issues
Shold we separate transaction tokens from other formats than JWT
Justin: Initial motivation - architectural cleanliness. Format
and data model for th token, format and protocl for exchanging
token. All is rolled together. Are we tying it together out of
convenience, or do we need abstractionpoints. . Combines format,
data model and binding.
Dean
chairs:
Brian: you do declare a header, you need to to through the process
Atul: on header, good to decide, increase interop
Justin - Ask for early review from HTTP directorate. Can use
authorization header or custome header. George - May want to use it as
seperate header as authroization header is used for other purposes.
AJ Stein: Heads up to its authors, very minor thing: the transaction
tokens I-D in datatrack doesn't have the GitHub metadata on the page to
find the repo for this draft, so it could help to save me 1-2 Google
searches like the others (I lurk and getting my legs, not a frequent
OAUTH contributor yet or would have guessed the GH repo org).
https://github.com/oauth-wg/oauth-transaction-tokens/issues/72
Presenter: Kelly
background:
solution:
uses token exchange and assertion framework
variations
claims transcription
changes
open issues
https://github.com/oauth-wg/oauth-identity-chaining/issues
Aaron: curious about send-constraining mechanism; is there anything
that's unique to this?
brian: there's a lot of variations, depending on who's calling who and
chaining what that make constraining really difficult
Pieter: we need to write down the scenarios and work through them one by
one; sometimes it's impossible and we need to be explicit why not
Presenter: Aaron Parecki
Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-sessb-identity-assertion-authorization-grant-00
Profile of identity chaining across domains
context/problem:
Building blocks:
Why bother profiling?
not imposing any new restrictions to final access token response
status
George: sounds like we're bootstrapping on the id token to identify the
token and creating an access token off of that; in the sense of
accessing APIs
Atul: could this be a profile of identity chaining and not a separate
spec?
Pieter: we may see additional profiles, keeping it as a separate
document makes sense; I think we will see 2-3 more
Kristina: naming of the draft is confusing; aligning to make it more
clear
Atul: can this work also with SAML?
What are next steps for WG adoption?
Chairs: let this cook a little bit, expect more reviews for other
document; if you find people who are interested outside Okta, that would
be a good indication for call for adoption
Mike Jones: read the PR and commented on it; in my mind, an SD-JWT with
or without KB is an SD-JWT, not a new media type
Richard: in some degree it's an optional feature, but it gives you
different security features; we need to make sure that the verifier
knows what properties they're getting
Hannes: wouldn't an attacker just change the media type? similar to
attack in LAMPS; from LAMPS, couldn't we incorporate something in key
derivation?
richard: much like alg:none, if you arrange your policy you won't be
vulnerable, but people in practice don't arrange their policies
Mike: it's not just terminology, there's a different media type, and
it's extraneous; media type doesn't add security properties
John Bradley: SDJWT has a confirmation method, receiver has to verify;
that's what drives whether or not it's key-bound SDJWT
Brian: media type isn't meant to be validatation
John: stronger argument for media type is for requesting, than for
requiring checking confirmation
Richard: we should never have an interface that you should shove either
SD-JWT and SD-JWT-KB
Brian: confirmation claim isn't the only way to express it, not the only
way to drive checking KB, can also be on policy
John: both types will be received over the same flow by the verifier
Richard: it needs to
john: but it doesn't right now
Kristina: don't want to solely discuss on media types
Joe: being able to differentiate makes it clearer how to apply policy,
seems like a good idea
Mike: fine with clarity, don't need explicit syntax for it b/c you have
to check it
Kristina: then why do you need JWT types?
Mike: 'typ' value is part of the signed structure, but recipient only
gets value from it by checking it at runtime for checking it
Brian: media type is just naming to signal this
Kristina: specific example uses same value
Hope we have spare time to continue this!
Notetaker: George Fletcher, Pieter Kasselman, Yaroslav Rosomakho
https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/
Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-sessc-sd-jwt-vc
What's next
SD-JWT VC as the proposed solution
Defines set of required and optional claims
How to get there
Hannes: Where is the proposal? Daniel to share. Type metadata.
Questions:
Mike Jones: generally we take approach of ignoring things that you
don't understand - how would this work for SD JWT VC.
Hannes: How to ensure use cases outside of the EU are covered?
https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/
Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-token-status-list
Unsigned status list support
Discussion: Provide all StatusLists
Discussion: Identifier list?
Discussion: status IANA registration?
Comparison of status mechanisms
Questions:
Orie Steel - Header vs payload discussion is interesting
Pieter - add security considerations for not signing status list
Kristina - would like it to be the same draft
Nick - similar concept in the W3C
verifiers and probably not detect if interacting with a malicous
status list provider
Paul: addressed some in the Privacy Consideration section
Ray -
Reviewers for the document
https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/
two proposal
Is there an option to make better use of DPoP
Use of attestations outside of client authentication
Discussion:
Questions:
Muhammad - related to work in RaTS working group
Justin - client attestation is NOT client authentication
Brian - DPoP is intended for proof of an instance key, and this
is such a case
Aaron - likes the header approach
Hannes
Kristina -
Tim (in chat)
Putting question in chat since I don't think we're going to
have time.
Using Play Integrity as an example, those statements are only
available to app owner, and aren't intended to (and in some
cases can't) be shared across party lines.
WebAuthn addresses this with a set of predefined attestation
formats that are intended to be shared between multiple parties.
These attestation semantics also address the concerns around
sharing identifiers across parties.
So how does this work in practice while preventing a user from
being tracked across parties?
Is there another document that talks about the actual use of
these attestations and defines the contents of the JWT?
https://datatracker.ietf.org/doc/draft-demarco-oauth-nonce-endpoint/
Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-sessc-nonce-endpoint-status-attestations
/nonce
endpointintended for use beyond OAuth and JSON
Questions:
Hannes - concept of scope and aud are OAuth specific
Ray - looks a lot like the NIST randomness beacon
link:
My opinion is that a nonce must be generated at a very low
level and locally and not obtained from a server.
Pieter - how to use in the context of a transaction
Brian - provisioning-by-error
Justin - concern with the value of the spec
Mike - responding to a comment by Brian
Aaron - I just wanted to point out the massive difference
between client-generated nonce like OpenID Connect and
server-generated nonce like DPoP
https://datatracker.ietf.org/doc/draft-demarco-oauth-status-attestations/
What is the Status Attestation, its purposes and benefits
Questions:
Hannes - restandardizing PKIX mechansisms ?
Monty - terminology
John - likes validity stapling
George
Working group encouraged to read the document and provide feedback
on the list
https://datatracker.ietf.org/doc/draft-zhang-jose-json-fine-grained-access/
Slides:
https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-json-fine-grained-access
Hannes provided a link that may be similar to this proposal
(RFC9237)
Related docs:
Questions:
Notetaker: Mike Jones, Yaron Sheffer
Pieter Kasselman presented about
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/
Pieter summarized the problem being solved
Gave the example of QR-code based flows
Described attackers tricking the user
-05 added actionable guidance to implementers
(See the "How to use the draft" slide)
Top recommendation is to find a way to establish proximity
The draft enumerates formal methods evaluations on the topic
We need reviewers
Hannes asked whether we should start WGLC to elicit reviews
Pieter said that the purpose is to get feedback
Monty, Dean, Roy, Ralph, Hannes volunteered to review
Pieter plans to publish an update before the WGLC starts
Aaron Parecki presented about
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/
Aaron summarized changes since IETF 117
Aaron discussed confused implementations of ClientID+ClientSecret
encoding
He asked whether we should restrict the client_id and client_secret
syntax to alphanumerics only to avoid this mess completely
Filip Skokan said that implementations faithfully implementing RFC 6749
won't interoperate with Google
Yaron said that allowing characters beyond alphanumerics would be useful
for discovery of secrets in logs and code
George Fletcher asked about migration
Justin Richer said that even if we changed the alphabet, Google would
still be noncompliant
... It doesn't bite you until it does
... Using the Authorization Basic header lets people get away with
different things
... :shrug:
Mike J.: My former employers' client IDs include special characters and
they're unlikely to change that.
... Also, we kinda committed not to change the protocol is 2.1.
... The fact that people implement the spec incorrectly is orthogonal to
what the spec says.
Brian Campbell: people are prefixing their secrets. Also, people using
URIs as client ID.
... I am skeptical of this change.
Michael Fraser: In Open Banking Brazil, the Client ID is the base URI
for the Federation.
Filip: learned about prefixing of secrets. Most interoperable is to
encode everything except some set of chars. LEt's continue the
discussion on GH.
Mike J.: OpenId Fedederation also uses HTTPS URLs as Client IDs
... We need to keep the full character set
Aaron: more discussion to be had.
... Presented a proposed timeline, WGLC by IETF-121.
... Expects lots more work resolving open issues
... A lot of work remains
Hannes proposes a virtual interim in June. Aaron concurs.
Dean Saxe presented about
https://datatracker.ietf.org/doc/draft-cecchetti-oauth-rar-cedar/
Individual draft proposing a RAR profile for the Cedar authorization
language
Usama: please say more on formal methods. Sarah: this is on GH.
Sarah C.: Repository online at github.com/cedar-rust
Dean: Primary use case to standardize a Cedar policy set
... Presented a set of open questions
... This is the first profile on RAR
Yaron: It doesn't need to work for Open Banking
... At the high level, the draft needs to say to which areas this is
going to be applicable
George Fletcher: One possibility is to embed the Cedar syntax in my
access token.
... Take the RAR input and transform it into Cedar policies.
Ralph Bragg: ISO standardized a format for financial services
transactions.
... I can't see them updating these to adopt Cedar.
... In most cases the RS and AS are owned by the same domain.
... The Access Token is opaque to the RS.
... Introspection for a RS versus an RP is different.
... This can add complexity.
Brian: The whole idea of RAR was to provide a bucket that you can put
stuff in. What it is is indicated by a type field.
... Use cedar-policy.com as the type value
Justin Richer: The idea behind type in RAR is to specify what's in the
RAR data structure.
... I believe this is just syntactic massaging of what you already have.
Brian: Less syntactic is whether this makes sense.
... You can put Cedar policies in your Access Tokens without RAR.
... The idea behind RAR was to give the client a rich language to
express what it's requesting authorization for.
... I don't know that the client needs to be exposed to Cedar policies.
(There was back-and-forth between Dean and Brian about the nature of the
interactions between the components.)
Sarah: The client may not know what it has access to.
Brian: I'm still not clear on the need for the Client to express Cedar
policies. It feels like there's a disconnect. It's profiling the wrong
building block provided by OAuth.
... You don't need RAR to embed policies in the Access Token.
Brian: It feels more like an Access Token profile - maybe with a broader
scope.
... Enabling a flow between the AS and the RS.
Michael F: (Talked quickly about translating between things) Cedar is
probably too complex to use near the end user, and translate the Cedar
policy into UI. Reiterates that this is more appropriate inside of the
access token.
Pieter: This graph shouldn't be extensible to other policy languages.
... Are you planning to bring Cedar into the IETF to standardize here?
Dean: An open question is how to normatively refer to Cedar when it's
not standardized by an SDO.
Hannes: to be investigated.
Dima: The client doesn't need to know the policies. There is some
utility to sharing this information in a closed ecosystem.
... A bit of "why" could help.
Atul T: Policies can be longer lived.
Dean: As you know from the AuthZen WG, there's a lot of work on
externalizing authorization.
Hannes: This has triggered a good discussion. I suspect you have enough
information to update the document. We'll be coming back to this.
George Fletcher presented about
https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/
George described what is happening today.
Described flows, goals, and reusing existing things.
Proposes a new Authorization Challenge Endpoint.
.. Accepts parameters that would have been in the query string to the
Authorization Endpoint.
... Described why a new endpoint. PAR is very specific about how it's
used.
... Expected to be executed in a Web context.
... Described changes since IETF 118
Sent a message to the list about a generic OAuth POST request framework
... Didn't see any interest
Feel like spec is good enough to ask for WG adoption
... Could also describe how to use PassKeys for authentication
Hannes: I'll do a poll on who has read the draft.
... Yes: 5, No: 12, no opinion: 1
Hannes: Maybe we can recruit more reviewers, then do a call for adoption
on the mailing list.
Yaron: Are there specific implementations?
George: I don't know of specific implementations.
Yaron, Filip, and Ralph offered to review
Hannes: I'm reluctant to pull the trigger on adoption during the last
session, given low attendance and tired participants.
Brian: It feels like there's not a lot of reviewers and low energy, so a
call for adoption seems unwarranted.
Hannes: This feels like one of a series of recommendations for a
specific environment.
Brian: This is a whole new protocol. The other things like Browser-based
Apps were codifying existing practices.
... I did read the prior draft and my feedback has been largely
addressed.
... So I am involved.
Ralph: The industry is very lacking in guidance on first-party
applications. If anything, the need is getting more and more pressing.
... A standard to facilitate adoption would be great.
... There are four markets going live in the Middle East.
Roman: I'd like to see this problem solved. That said, I'd like it go
further before we do a call for adoption.
George: That's super helpful.
Aaron Parecki presented about
https://datatracker.ietf.org/doc/draft-parecki-oauth-global-token-revocation/
He described apps and app backends
... This adds a new endpoint at the AS
The goal is a lightweight revocation endpoint
... There's no negotiation and no wiggle room
He did a survey of existing token revocation/logout standareds
... There's no standard doing what this is trying to achieve
Input to Global Token Revocation required to be authenticated
... Uses SecEvent subject representation
Outcome is that refresh tokens and access tokens are revokved
He enumerated changes made since IETF 118
There are implementations in progress
... He can only name Okta's at the moment
Aaron asked if it's time for working group adoption
Atul T: Can this be expressed as a profile of Shared Signals Framework
(SSF)?
Aaron: The main concern with that is that SSF has subtleties, versus
whereas this is started to be a clear signal causing a specific action.
... Signals from SSF could be part of the input to the decision engine
causing this command to be used.
Hannes: Only two people have read the document
.. It would be good to have people chime in the list about why they
think this is useful work
Richard Barnes presented about
https://github.com/bifurcation/redistributable-jwks/blob/main/draft-barnes-oauth-redistributable-jwks.md
He described the normal JWT lifecycle
... Relies on Web PKI
... Used by OpenID Connect
Seeing new patterns for Verifiable Creentials
What if the JWK Set is not available?
... It could be offline
... The key might not still be in the JWK Set
Stick an x5c in the header
Then can reason about whether the JWT is still valid
... No validate-time dependency
Mike Jones helpfully pointed out that OpenID Federation uses Signed JWTs
... The only difference is the x5c
... Redistributable proof of authority
It maps to a lot of use cases
It's super-early stuff
... It's in a repot - no published draft yet
Roy: There's a lot of overlap with what's being done by SCITT
... How do you do revocation in this model?
Richard: This is using an intermediate certification
... And you can do certificate-based revocation
Justin: What's the difference between just using the certificate and
using the signed JWK Set?
Richard: There's a discussion of this in the document
... We want to not perturb the JWTs that are already out there
Justin: So the x5c is effectiely the CA? RB: yes.
Mike J.: I've read the draft and agree with parts of it
... People have been using signed JWK for at least 8 years
... The Signed JWK Sets are similar to those in OpenID Federation
... The draft title should highlight that the innovation is that it
defines a way to validate a JWT issuer using a PKIX cert but not TLS
Rohan: I've been thinking about writing a draft like this for a while.
... In response to the revocation question, the cert could contain a CRL
revocation point, which you would check in the normal way
... The most important thing that we're dancing around is "Why do you
want to unlink the identity from the WebPKI?"
... What's done in the OAuth WG is provide a way to do authorization
using WebPKI
... I think it's useful